The Talk Of The Town

The Core of the Problem

Illustrated by Shiho Pate

In an ideal world, web standards and browser adoption would move in lockstep, allowing developers to use new features as quickly as they're agreed upon. In reality, we can't do that, so we slap libraries on top of them, injecting standard functionality where the standards don't exist. Perhaps because we're embarrassed by this, we give them a fancy name: polyfills.

Which brings us to Core-JS, arguably the most popular polyfill library. Even if your code doesn't use Core-JS, some dependency in your code almost certainly does, boosting its popularity. It's so popular, in fact, that the creator took to using the post-install messages to politely request a job, which some users perhaps didn't take a kind view toward, based on their sarcastic reactions.

Now, Denis Pushkarev isn't just the original author and main contributor to Core-JS, but is practically the only contributor to this widely used library. You'll note that his contributions suddenly stopped back in January 2020. Mr. Pushkarev, sadly, was involved in a traffic accident and will be spending time in prison as a result.

As you can imagine, this has created a bit of a crisis in governance. That thread summarizes two ideas that seem strongly held in the community. First, this could have been avoided if Mr. Pushkarev was less possessive and opened the project to more contributors. Second, the project now needs to be forked. Valid objections or not, "enitihas" on Hacker News points out, "A lot of people who are complaining about there being only a single maintainer, seem to have no open source contribution history on github. If the project is important to so many people, they sure didn't show it by donating to the maintainer."

Another contributor has offered to step up, but as The Register points out, that's hardly enough to maintain faith in the project. The Register also brings up another project "jsrsasign," a crypto library that was quiet from 2018 to only a few weeks ago but is used by hundreds of other NPM libraries (and by extension, probably many projects).

In the end, we're looking at another riff on the infamous Left Pad debacle. Or the time crypto coin–stealing malware showed up in an NPM package. But let's not pretend that NPM is the problem here. A 2015 study tried to determine the "Truck Factor" of important open source projects. What is the Truck Factor?

The Truck Factor designates the minimal number of developers that have to be hit by a truck (or quit) before a project is incapacitated.

Their core findings? Thirty-four percent of the most popular GitHub projects had a Truck Factor of one. Thirty percent had a Truck Factor of two. Huge projects that all depend on the efforts of one or two people, projects that are the vision of those one or two people.
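The Truck Factor above can be computed mechanically from authorship data. The Python below is an added example, not code from the column or from the 2015 study: it applies a simplified greedy scheme (repeatedly drop the developer who authors the most files until more than half the files have no author left) to a constructed authorship map, then walks a constructed dependency graph to flag transitive dependencies whose Truck Factor is one, the situation the column describes for Core-JS. All package names, file names and numbers in the sample data are made up for illustration.

```python
from collections import Counter

# Constructed authorship map (illustrative, not Core-JS's real history):
# file -> set of developers credited as its authors.
SAMPLE_AUTHORSHIP = {
    "src/polyfill-a.js": {"denis"},
    "src/polyfill-b.js": {"denis"},
    "src/polyfill-c.js": {"denis"},
    "src/index.js": {"denis"},
    "test/a.test.js": {"alice"},
    "docs/README.md": {"bob"},
}


def truck_factor(authorship, threshold=0.5):
    """Greedy truck factor (simplified from the 2015 study's scheme):
    repeatedly drop the developer who authors the most still-covered
    files until more than `threshold` of all files have no author left.
    Returns (truck_factor, developers removed in order)."""
    files = {f: set(devs) for f, devs in authorship.items()}
    total = len(files)
    removed = []
    while total:
        orphaned = sum(1 for devs in files.values() if not devs)
        if orphaned / total > threshold:
            break
        counts = Counter(d for devs in files.values() for d in devs)
        if not counts:  # every file already orphaned; nothing to remove
            break
        dev, _ = counts.most_common(1)[0]
        removed.append(dev)
        for devs in files.values():
            devs.discard(dev)
    return len(removed), removed


def fragile_dependencies(dep_graph, tf_by_package, root, max_tf=1):
    """Walk the transitive dependencies of `root` (a constructed
    package -> list of dependencies map) and return the packages whose
    known truck factor is at most `max_tf`; unknown packages count as 0."""
    seen, stack, fragile = set(), [root], []
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        if pkg != root and tf_by_package.get(pkg, 0) <= max_tf:
            fragile.append(pkg)
        stack.extend(dep_graph.get(pkg, ()))
    return sorted(fragile)
```

Running `truck_factor(SAMPLE_AUTHORSHIP)` on the sample gives a Truck Factor of one, because removing a single developer orphans four of the six files; a project where every file has two or three authors scores correspondingly higher.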

And even when a project has a larger number of contributors, the community will rally around a single important contributor. In the Python world, for example, Guido Van Rossum was the creator and "Benevolent Dictator for Life"…until he wasn't anymore. Or, in the Linux kernel, you have a culture built around Linus Torvalds's idiosyncrasies, which even he recognizes may be toxic.

In the case of Core-JS and other NPM projects, we have a developer framework built around long dependency chains. This exacerbates a problem that impacts the entire open source community: building and managing a team is hard, and programming by yourself may just be easier.

There's no specific solution to this problem. To me, it points to a whole interconnected system of cultural problems and blind spots. There's an element of auteur theory that infects software development: certain software products can only be the product of a singular mind. Deep down, many of us fancy ourselves as that lone genius, capable of great feats. It ties into what I think of as the "myth of meritocracy," the idea that great developers will rise to the top of the social hierarchy and be rewarded—but if "great" means "writes software people use," one has to wonder why Mr. Pushkarev had to go begging for paying gigs in the Core-JS post-install log. Finally, I think there's the cold reality that building a team or a community around maintaining a piece of software is hard work and it's work that requires wildly different skills than software development.

In the end, Core-JS is just another instance of an omnipresent problem in the open source community. Everyone could contribute, but so few do contribute. Everyone who starts a project could build a community around it, but so few do. We all benefit from valuable libraries existing in the wild, but ensuring a healthy open source ecosystem requires a lot more than just npm installing our dependencies.

Remy Porter

author

Remy is a veteran developer who provides software for architectural installations with IonTank.

He's often on stage, doing improv comedy, but insists that he isn't doing comedy; it's deadly serious. You're laughing at him, not with him. That, by the way, is usually true; you're laughing at him, not with him.

Shiho Pate

illustrator

California-based illustrator Shiho Pate has been in the games industry for 10+ years. Now she is shifting her focus to editorial and children's book illustrations. For more information, please visit www.shihopate.com and follow her on Twitter and Instagram @shihopate.